Commit Graph

7810 Commits

Author SHA1 Message Date
Roman Arutyunyan
d961012799 Version bump. 2020-08-14 12:45:52 +03:00
Sergey Kandaurov
c17bc31d41 SSL: removed OpenSSL 0.9.7 compatibility. 2016-04-11 15:46:36 +03:00
Maxim Dounin
2015a54821 Range filter: fixed duplicate last buffers.
In ngx_http_range_singlepart_body() special buffers where passed
unmodified, including ones after the end of the range.  As such,
if the last buffer of a response was sent separately as a special
buffer, two buffers with b->last_buf set were present in the response.

In particular, this might result in a duplicate final chunk when using
chunked transfer encoding (normally range filter and chunked transfer
encoding are not used together, but this may happen if there are trailers
in the response).  This also likely to cause problems in HTTP/2.

Fix is to skip all special buffers after we've sent the last part of
the range requested.  These special buffers are not meaningful anyway,
since we set b->last_buf in the buffer with the last part of the range,
and everything is expected to be flushed due to it.

Additionally, ngx_http_next_body_filter() is now called even
if no buffers are to be passed to it.  This ensures that various
write events are properly propagated through the filter chain.  In
particular, this fixes test failures observed with the above change
and aio enabled.
2019-05-13 22:44:49 +03:00
Maxim Dounin
ce0f35317e Range filter: fixed loss of incoming chain links.
Filters are not allowed to change incoming chain links, and should allocate
their own links if any modifications are needed.  Nevertheless
ngx_http_range_singlepart_body() modified incoming chain links in some
cases, notably at the end of the requested range.

No problems caused by this are currently known, mostly because of
limited number of possible modifications and the position of the range
body filter in the filter chain.  Though this behaviour is clearly incorrect
and tests demonstrate that it can at least cause some proxy buffers being
lost when using proxy_force_ranges, leading to less effective handling
of responses.

Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
Links are explicitly freed to ensure constant memory usage with long-lived
requests.
2019-05-13 22:44:02 +03:00
Roman Arutyunyan
a39380a41e Unconditional compilation of the postpone filter.
Postpone filter is an essential part of subrequest functionality.  In absence
of it a subrequest response body is sent to the client out of order with
respect to the main request header and body, as well as other subrequests.
For in-memory subrequests the response is also sent to the client instead of
being stored in memory.

Currently the postpone filter is automatically enabled if one of the following
standard modules which are known to create subrequests is enabled: ssi, slice,
addition.  However a third-party module that creates subrequests can still be
built without the postpone filter or be dynamically loaded in nginx built
without it.
2019-05-08 19:22:13 +03:00
Ruslan Ermilov
27b3d3dcca Variables support in proxy_upload_rate and proxy_download_rate. 2019-04-24 16:38:56 +03:00
Ruslan Ermilov
0e2653877e Variables support in limit_rate and limit_rate_after (ticket #293). 2019-04-24 16:38:54 +03:00
Ruslan Ermilov
2ace7fc3e6 Added ngx_http_set_complex_value_size_slot().
If a complex value is expected to be of type size_t, and the compiled
value is constant, the constant size_t value is remembered at compile
time.

The value is accessed through ngx_http_complex_value_size() which
either returns the remembered constant or evaluates the expression
and parses it as size_t.
2019-04-24 16:38:51 +03:00
Vladimir Homutov
2eb2a93d8a Core: enabled "include" in any context (ticket #1615). 2019-04-09 11:40:20 +03:00
Vladimir Homutov
68b147535a Version bump. 2019-04-24 13:41:29 +03:00
Maxim Dounin
d2cf390fc0 release-1.15.12 tag 2019-04-16 17:54:59 +03:00
Maxim Dounin
baa377ce76 nginx-1.15.12-RELEASE 2019-04-16 17:54:58 +03:00
Maxim Dounin
4ca32d6eb3 Updated PCRE used for win32 builds. 2019-04-16 16:32:44 +03:00
Maxim Dounin
f09eae2a75 Fixed incorrect length handling in ngx_utf8_length().
Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.
2019-04-15 20:14:07 +03:00
Maxim Dounin
5784889fb9 OCSP stapling: fixed segfault with dynamic certificate loading.
If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.

The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().

Fix is to explicitly check SSL_get_certificate() result.
2019-04-15 19:13:09 +03:00
Maxim Dounin
aaa1a57060 Version bump. 2019-04-15 19:13:06 +03:00
Maxim Dounin
50e6faf2a4 release-1.15.11 tag 2019-04-09 16:00:30 +03:00
Maxim Dounin
9cbe052339 nginx-1.15.11-RELEASE 2019-04-09 16:00:30 +03:00
Maxim Dounin
09752fce1f Win32: avoid using CFLAGS, just add define instead.
With CFLAGS set as in 7da71a7b141a, OpenSSL compilation drops various
non-important compiler options.  To avoid this, a define is added
instead - OpenSSL is smart enough to recognize -D... in Configure
arguments.
2019-04-04 22:56:41 +03:00
Maxim Dounin
df8cb31369 Win32: defined pdb path.
By default, MSVC uses vc<version>.pdb in the current directory.
With the "-Fd" switch it is directed to be in the objs directory instead.
2019-04-04 19:30:47 +03:00
Sergey Kandaurov
ce912de835 Win32: preserving binary compatibility with Windows XP - Vista.
OpenSSL 1.1.0 and above uses BCrypt if available (Windows 7 or higher).
This results in an unusable binary on older Windows versions, when building
with newer Windows SDK (such as 7.0A).  Using CFLAGS to define _WIN32_WINNT
allows to set a desired ABI and make sure the binary works with Windows XP.

To not mix with other potential CFLAGS uses, it is set in GNUmakefile.
2019-04-04 16:26:56 +03:00
Sergey Kandaurov
7c7d32772d Win32: skip building OpenSSL tests to conserve time and space.
When building OpenSSL 1.1.1b, as used for win32 builds, with tests
it takes about twice as long and near ~1GB of additional disk space.
Using "no-tests" OpenSSL configuration option allows to skip them.
Since such an option is supported since OpenSSL 1.1.1 only, it is
residing here and not in configure.
2019-04-04 16:22:03 +03:00
Sergey Kandaurov
db5c307280 OCSP stapling: open ssl_stapling_file in binary-mode.
OCSP response uses the DER format and as such needs to be opened in binary-mode.
This only has any effect under Win32.
2019-04-03 15:35:39 +03:00
Nikolay Morozov
52d9da8790 SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
If X509_get_issuer_name() or X509_get_subject_name() returned NULL,
this could lead to a certificate reference leak.  It cannot happen
in practice though, since each function returns an internal pointer
to a mandatory subfield of the certificate successfully decoded by
d2i_X509() during certificate message processing (closes #1751).
2019-03-26 09:33:57 +03:00
Sergey Kandaurov
1c906828ae Version bump. 2019-03-26 18:25:08 +03:00
Maxim Dounin
71082ed43a release-1.15.10 tag 2019-03-26 17:06:55 +03:00
Maxim Dounin
6c5955f4b8 nginx-1.15.10-RELEASE 2019-03-26 17:06:54 +03:00
Roman Arutyunyan
912fb44e25 Listen port ranges.
A range is specified with a dash.  For each port in a range a separate listen
socket is created.

Examples:

    listen 8080-9000;
    listen example.com:80-88;
2019-03-06 20:46:09 +03:00
Roman Arutyunyan
b92e8ffa13 Removed sorting of getaddrinfo() results.
Previously the ngx_inet_resolve_host() function sorted addresses in a way that
IPv4 addresses came before IPv6 addresses.  This was implemented in eaf95350d75c
(1.3.10) along with the introduction of getaddrinfo() which could resolve host
names to IPv6 addresses.  Since the "listen" directive only used the first
address, sorting allowed to preserve "listen" compatibility with the previous
behavior and with the behavior of nginx built without IPv6 support.  Now
"listen" uses all resolved addresses which makes sorting pointless.
2019-03-20 20:31:59 +03:00
Roman Arutyunyan
4e17b93eb6 Multiple addresses in "listen".
Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.
2019-03-15 15:45:56 +03:00
Maxim Dounin
59c34b6795 SSL: support for parsing PEM certificates from memory.
This makes it possible to provide certificates directly via variables
in ssl_certificate / ssl_certificate_key directives, without using
intermediate files.
2019-03-09 03:03:56 +03:00
Maxim Dounin
762d98abed SSL: removed redundant "pkey" variable.
It was accidentally introduced in 77436d9951a1 (1.15.9).  In MSVC 2015
and more recent MSVC versions it triggers warning C4456 (declaration of
'pkey' hides previous local declaration).  Previously, all such warnings
were resolved in 2a621245f4cf.

Reported by Steve Stevenson.
2019-03-09 02:55:43 +03:00
Maxim Dounin
0ad4393e30 SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello.  As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.
2019-03-05 16:34:19 +03:00
Maxim Dounin
0808b04c46 SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1.
Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated
renegotiation, and hence can be safely used on all SSL contexts.
2019-03-03 16:49:02 +03:00
Maxim Dounin
fe43346dc3 SSL: fixed potential leak on memory allocation errors.
If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.
2019-03-03 16:48:39 +03:00
Maxim Dounin
99d7bb6909 SSL: server name callback changed to return fatal errors.
Notably this affects various allocation errors, and should generally
improve things if an allocation error actually happens during a callback.

Depending on the OpenSSL version, returning an error can result in
either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
SSL_do_handshake(), so both errors were switched to the "info" level.
2019-03-03 16:48:06 +03:00
Maxim Dounin
fd97b2a80f SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
2019-03-03 16:47:44 +03:00
Maxim Dounin
4e0c46cfe1 Version bump. 2019-03-03 16:47:41 +03:00
Maxim Dounin
16e7120d6c release-1.15.9 tag 2019-02-26 18:29:22 +03:00
Maxim Dounin
3229ec6bcd nginx-1.15.9-RELEASE 2019-02-26 18:29:22 +03:00
Maxim Dounin
6647cbd10b Updated OpenSSL used for win32 builds. 2019-02-26 18:01:30 +03:00
Maxim Dounin
1a30d79c42 SSL: fixed possible segfault with dynamic certificates.
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
2019-02-25 21:16:26 +03:00
Maxim Dounin
ecfab06cb2 SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
2019-02-25 16:42:54 +03:00
Maxim Dounin
fbcb0c8a33 SSL: dynamic certificate loading in the stream module. 2019-02-25 16:42:43 +03:00
Maxim Dounin
8772a0e089 SSL: passwords support for dynamic certificate loading.
Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.
2019-02-25 16:42:23 +03:00
Maxim Dounin
6e5a731edb SSL: variables support in ssl_certificate and ssl_certificate_key.
To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.
2019-02-25 16:42:05 +03:00
Maxim Dounin
9ff7ba3d00 SSL: loading of connection-specific certificates. 2019-02-25 16:41:44 +03:00
Maxim Dounin
20c8700ae7 SSL: reworked ngx_ssl_certificate().
This makes it possible to reuse certificate loading at runtime,
as introduced in the following patches.

Additionally, this improves error logging, so nginx will now log
human-friendly messages "cannot load certificate" instead of only
referring to sometimes cryptic names of OpenSSL functions.
2019-02-25 16:41:28 +03:00
Maxim Dounin
2d7faa2311 SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
The "(SSL:)" snippet currently appears in logs when nginx code uses
ngx_ssl_error() to log an error, but OpenSSL's error queue is empty.
This can happen either because the error wasn't in fact from OpenSSL,
or because OpenSSL did not indicate the error in the error queue
for some reason.

In particular, currently "(SSL:)" can be seen in errors at least in
the following cases:

- When SSL_write() fails due to a syscall error,
  "[info] ... SSL_write() failed (SSL:) (32: Broken pipe)...".

- When loading a certificate with no data in it,
  "[emerg] PEM_read_bio_X509_AUX(...) failed (SSL:)".
  This can easily happen due to an additional empty line before
  the end line, so all lines of the certificate are interpreted
  as header lines.

- When trying to configure an unknown curve,
  "[emerg] SSL_CTX_set1_curves_list("foo") failed (SSL:)".

Likely there are other cases as well.

With this change, "(SSL:...)" will be only added to the error message
if there is something in the error queue.  This is expected to make
logs more readable in the above cases.  Additionally, with this change
it is now possible to use ngx_ssl_error() to log errors when some
of the possible errors are not from OpenSSL and not expected to have
anything in the error queue.
2019-02-25 16:41:15 +03:00
Maxim Dounin
dce5823f59 Style. 2019-02-25 16:41:08 +03:00